Download Winlogbeat and place in same directory as script or in $PATH
PS>
Import-Module evtx2mordor.ps1 -Force
Convert-EvtxToMordorJSON -EvtxFile file.evtx -OutFile file.json # can add -Verbose to get more detailed output
Mordor exports are typically tar + gzip'd. You can compress the output file using 7zip. Example:
7z.exe a -ttar -so -an .\file.json | 7z.exe a -si file.tar.gz
| function Convert-EvtxToMordorJSON { | |
| Param ( | |
| [ValidateScript({Test-Path (Resolve-Path $_).Path})] | |
| [String]$Config="$pwd\evtx2mordor.yml", | |
| [Parameter(Mandatory=$true)] | |
| [ValidateScript({Test-Path (Resolve-Path $_).Path})] | |
| [String]$EvtxFile, | |
| [Parameter(Mandatory=$true)] | |
| [String]$OutFile | |
| ) | |
| BEGIN { | |
| $WLB = "" | |
| if (!(Get-Command "$pwd\winlogbeat")){ | |
| Write-Verbose "Couldn't find winlogbeat in current directory" | |
| if (!(Get-Command "winlogbeat")){ | |
| Write-Verbose "Couldn't find winlogbeat" | |
| exit 1 | |
| } | |
| else { $WLB = "winlogbeat.exe"} | |
| } | |
| else { $WLB = ".\winlogbeat.exe"} | |
| $EvtxFile = Resolve-Path $EvtxFile | |
| $Config = Resolve-Path $Config | |
| if (Test-Path ".\data\") { Remove-Item ".\data\" -Recurse } | |
| if (Test-Path ".\logs\") { Remove-Item ".\logs\" -Recurse } | |
| if (Test-Path $OutFile) { Remove-Item $OutFile } | |
| New-Item -Type File -Path $OutFile | Out-Null | |
| $OutFile = Resolve-Path $OutFile | |
| Write-Verbose "Using config $Config" | |
| Write-Verbose "Using evtx $EvtxFile" | |
| Write-Verbose "Using outfile $OutFile" | |
| $OutFilePath = Split-Path $OutFile | |
| $OutFileName = Split-Path $OutFile -Leaf | |
| $Command = "$WLB -c $Config -E INFILE=`"$EvtxFile`" -E OUTPATH=`"$OutFilePath`" -E OUTNAME=`"$OutFileName`"" | |
| Write-Verbose "Command: $Command" | |
| Invoke-Expression $Command | Out-Null | |
| } | |
| } |
| winlogbeat.event_logs: | |
| - name: "${INFILE}" | |
| no_more_events: stop | |
| output.file: | |
| path: "${OUTPATH}" | |
| filename: "${OUTNAME}" |